NASHVILLE, TENN. — Under the FedRAMP program, contractors that provide cloud computing services to agencies are required to meet strict security requirements and pass an independent, third-party review.
That same model one day could serve as the basis for vetting companies that provide cybersecurity services to the government, according to one cybersecurity law expert.
“I think for cybersecurity it’s going to be the same thing,” Eric Crusius, a contract attorney at the Centre Law Group, told attendees at the National Contract Management Association conference Tuesday.
“You’ll have a third party that’s essentially certifying companies that they’re cybersecurity compliant and meeting certain standards, and once they’re cybersecurity compliant they can sell or do certain things with the government,” he said.
“So I could see the FedRAMP model being used especially for IT companies providing services to the government.”
During a session dubbed “The Cyber and Data Security Rules of the Road,” Crusius also highlighted numerous security breaches by hackers, including several targeting companies that had billed themselves as information technology firms that could keep the government safe from such intrusions.
And any presentation on cybersecurity would have been incomplete without some mention of Edward Snowden, the former Booz Allen Hamilton contract employee who leaked details about secret National Security Agency surveillance programs.
Crusius said the Snowden case reflects a need for better tracking of “digital footprints” to find out when someone starts snooping in areas they are not authorized to access.
“You can see what happens when somebody has unauthorized access,” Crusius said. “The problem was, he was smart enough to exceed his access. That’s a problem when you have systems in place that aren’t sophisticated enough for whatever reason to pick up on when somebody is going into certain areas they shouldn’t be going into.”